lab 3: configuration of oim to manage user accounts ......oim 11g workshop - lab 3 12 2.2.8. on the...

OIM 11g Workshop – Lab 3

1

Lab 3: Configuration of OIM to manage user accounts

lifecycle in DSEE application

Contents Lab 3: Configuration of OIM to manage user accounts lifecycle in DSEE application .................................. 1

1. Introduction ............................................................................................................................................. 2

2. Contents.................................................................................................................................................... 2

2.1. Install DSEE Connector ..................................................................................................................... 3 2.2. Create IT Resources ........................................................................................................................... 8 2.3. Execute Direct Provisioning for Connector health-check ........................................................... 16 2.4. Extend OIM User schema to add custom attributes .................................................................... 23 2.5. Extend the connector to add support of custom attributes ........................................................ 31 2.6. Execute required Lookup reconciliation scheduled jobs ............................................................ 37 2.7. Configure Pre-populate adapters .................................................................................................. 40 2.8. Configure few Important Parameters for Request and RBAC based provisioning scenarios49

3. Conclusion ............................................................................................................................................. 52

OIM 11g Workshop - Lab 3

2

1. Introduction

ACME CAPITAL is all set to extend the provisioning solution to accommodate extra applications coming onboard from

MEDICLAIM acquisition. The Permanent Contact Number information for ACME OIM Users needs to be maintained. ACME

DSEE application is the source of this information where homePhone attribute is being maintained with the required value.

Also OIM has to be used to provision to ACME DSEE application instances and LCM of the DSEE accounts of existing

MEDICLAIM users would also be done from OIM, moving forward, account reconciliation would be needed from initially from

DSEE to OIM.

The need is recognized to install the OIM iPlanet connector pack to provide ACME the user/account provisioning/reconciliation

capabilities w.r.t. ACME DSEE application instances and also extend the connector to support the attribute homePhone storing the

Permanent Contact Number information.

2. Contents

2.1. Install DSEE Connector

2.2. Create IT Resources

2.3. Execute Direct Provisioning for Connector health-check

2.4. Extend OIM User schema to add custom attributes

2.5. Extend the connector to add support of custom attributes

2.6. Execute required Lookup reconciliation scheduled jobs


3

2.7. Configure Pre-populate adapters

2.8. Configure few Important Parameters for Request and RBAC based provisioning scenarios

2.1.Install DSEE Connector

Purpose

This step includes the configuration required to install OIM connector (SJSDS 9.0.4.4) to integrate OIM with DSEE

Steps

2.1.1. Extract first and then Copy the required connector pack (SJSDS_90440.tar) and files to the relevant directory locations

Extract SJSDS_90440.tar and Copy it from /odrive/installs/oim-cp directory to

/odrive/oracle/oim11g_MWH/Oracle_IDM1/server/ConnectorDefaultDirectory/

[oracle@orclfmw ~]$ cd /odrive/installs/oim-cp

[oracle@orclfmw oim-cp]$ cp -r SJSDS_90440/

/odrive/oracle/oim11g_MWH/Oracle_IDM1/server/ConnectorDefaultDirectory

Copy the required external jar file ‚ldapbp.jar‛ from /odrive/installs/oim-cp directory to

/odrive/oracle/oim11g_MWH/Oracle_IDM1/server/ThirdParty/

[oracle@orclfmw oim-cp]$ cp ldapbp.jar /odrive/oracle/oim11g_MWH/Oracle_IDM1/server/ThirdParty

2.1.2. In order to run the Connector Installation Wizard, log in to the Administrative and User Console by using the xelsysadm account.


4

2.1.3. Navigate to the Advanced Administration console. In the System Management Panel, click on Manage Connector.

2.1.4. A new Connector Management window will pop up. Click on Install button.


5

2.1.5. From the Connector List list, select Sun Java System Directory 9.0.4.4. This list displays the names and release numbers of connectors

whose installation files you copy into the default connector installation directory:


6

2.1.6. Click Load.

2.1.7. To start the installation process, click Continue.


7

The following tasks are performed in sequence:

2.1.8. If all three tasks of the connector installation process are successful, and then a message indicating successful installation is displayed,

you can click Create IT Resource.


8

Checkpoint

At this point you have installed the connector pack for Sun Java System Directory Server Enterprise Edition (DSEE) that is going to

be used for the next labs.

2.2.Create IT Resources

Purposes

This step includes the configuration required to create an IT resource for the relevant instance of DSEE server.

Steps

2.2.1. In order to create an IT Resource for the DSEE Connector, log in to the Administrative and User Console by using the xelsysadm

account.

2.2.2. In the Welcome page of the Advanced Administration, under Configuration, click Create IT Resource.

2.2.3. Alternatively, click the Configuration tab, click Resource Management, and then select Create IT Resource.

2.2.4. On the Step 1: Provide IT Resource Information page, enter the following information:

IT Resource Name DSEE Server ACME

IT Resource Type Select an IT resource type for the IT resource. Click the

lookup which will open another popup. On that one, select

‘LDAP Server’ and click Select.


9

IT Resource Name DSEE Server ACME

Remote Manager leave this field blank

2.2.5. Click Continue.


10

2.2.6. On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource, and then click

Continue.

Parameter Description

Admin Id DN value of the user who has administrator rights on Sun Java System Directory

The value is: cn=Directory Manager

Admin Password Password of the user who has administrator rights on Sun Java System Directory

The value is: abcd1234

Server Address IP address of the target Sun Java System Directory server

The value is: orclfmw.example.com

Port Port number to connect to the target Sun Java System Directory server

The value is: 1389

Root DN Base DN where all the user operations are to be carried out


11

Parameter Description

The value is: dc=mydomain,dc=com

SSL Specifies whether or not an SSL connection is used for communication between

Oracle Identity Manager and the target Sun Java System Directory server

The value is: false

2.2.7. On the Step 3: Set Access Permission to IT Resource page just clicks Continue.


12

2.2.8. On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you

want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.

2.2.9. To proceed with the creation of the IT resource, click Continue.


13

2.2.10.The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource

information. Iplanet connector which we are using in this lab does not support any connectivity test. Cick Create.

2.2.11.Click Finish.

Note: Please create three more IT resources using exactly the same connection parameters and other information as provided for the

IT resource above. These are required mandatory for configurations of Lab 5 - Advanced Provisioning Infrastructure. Repeat the

Steps 2.2.1 to 2.2.11 with following names, and MAKE SURE to set access permissions to these IT Resources as explained below:

DSEE Server, Johannesburg

DSEE Server, Prague


14

DSEE Server, Chicago

IMPORTANT!

For DSEE Server, Johannesburg, DSEE Server, Prague and DSEE Server, Chicago IT Resources make sure to do the following

procedure from the "Set Access Permission to IT Resource" step:

2.2.12.On the Step 3 : Set Access Permission to IT Resource step, click Assign Role

2.2.13.On the Assign Role step, check the assign checkbox for administrative role ALL USERS and then click Assign.

2.2.14.You will ONLY set Read Access permission to ALL USERS role


15

2.2.15.Back to the Step 3 : Set Access Permission to IT Resource page, click Continue

2.2.16.At Step 4 : Verify IT Resource Details page, click Continue

2.2.17.At Step 5 : IT Resource Connection Result page, click Continue

2.2.18.And then, click Finish


16

Checkpoint

At this point you have just created the IT Resources that are going to be used for the next labs.

2.3.Execute Direct Provisioning for Connector health-check

Purposes

This step is required to test if the provisioning module of installed DSEE connector is working properly. Reconciliation module of

the same connector will get verified in Lab 3 On-boarding, Reconciliation from applications (FlatFileApp, DSEE) used by the acquisition

(MEDICLAIM).

Steps

2.3.1. Ensure that DSEE Server is started and running successfully in the VM (Lab 1 has the relevant details for the steps involved).

2.3.2. For testing purposes create a user called zDSEEtest as the picture below.

Organization: ACME Health Insurance

User Type: Full-Time Employee


17

Note: Before starting to try direct provisioning, one issue with the iplanet connector installation needs to be fixed. There is a

problem with pre-population of a field ‚common name‛. Launch the Design console, Under folder Development Tools Form

Designer For the process form UD_IPNT_USR Button Create New Version Provide a Label value as fix –

Prepopulation and click Save icon. Make it the Current version. Click the tab Pre-Populate, remove the existing Pre populate

adapter associated with the field ‚common name‛, attach 'iPlanetPP String' adapter and map the field to User->Display Name.

Finally activate this particular version of the form.

2.3.3. Provision DSEE resource manually to test the integration for connectivity. Click tab Resources and choose option Add

2.3.4. Select iPlanet User and click Continue.


18

2.3.5. Click Continue.


19

2.3.6. In the Server attribute, select the lookup to choose the appropriate instance of DSEE:

Note : On this screen

2.3.7. Select ‘DSEE Server ACME’ and click Close.


20

2.3.8. This simple test requires neither DSEE Role nor Group. Just click Continue.


21

2.3.9. The last step is shown a Summary to the user. Review it and click Continue.

2.3.10.The provisioning for the user will be initiated.

2.3.11.Close window then click Refresh.


22

2.3.12.Using LDAP Browser or any other tool of your choice, verify in the DSEE server if the user got successfully provisioned.

Checkpoint

In this step you just created a user and executed a direct provisioning to test the connector.


23

2.4.Extend OIM User schema to add custom attributes

Purposes

This step includes the configuration required to extend OIM User schema to add a custom attribute Permanent Contact Number. In

this procedure, you will:

Extend OIM User Schema

Create Authorization Policy ‘CustomAttr_Perm_Contact_Number’

Steps

Detailed steps for adding custom attributes are already mentioned in Lab 2 - User Mgmt FGA. This section only provides you the

relevant screenshots to add the custom attribute Permanent Contact Number

Extend OIM User Schema

Create an attribute using the following information:

Attribute

Name

Category Name Back-end Attribute

Name

Display Type Properties

Permanent

Contact

Number

Basic User

Information

USR_UDF_CONNUM String Size: 50


24


25

Create Authorization Policy ‘CustomAttr_Perm_Contact_Number’

2.3.13.Create an Authorization Policy with Policy Name ‘CustomAttr_Perm_Contact_Number’, Description ‘AuthZ required to let

XELSYSADM view the custom attributes on modify user page’, Entity Name ‘User Management’. Give it Permissions to ‘View User

Details’ (select ‘All’ attributes) and ‘Modify User Profile’ (select ‘Permanent Contact Number’ attribute). Specify Data Constraints as

‘All Users’. In Assignment specify Assign by Role as ‘SYSTEM ADMINISTRATORS’.


26


27


28


29


30


31

Checkpoint

Finally the attribute Permanent Contact Number should be visible in the User Configuration.

2.5.Extend the connector to add support of custom attributes

Purposes

This step includes the configuration required to extend the OIM connector (SJSDS 9.0.4.4) to add the support for one more DSEE

user account attribute: homePhone.

Steps

Extend the process form to add the support for homePhone attribute


32

This will add the ‘Permanent Contact Number’ attribute on the DSEE connector process form UD_IPNT_USR

2.5.1. Under folder Development Tools Form Form Designer For the process form UD_IPNT_USR Button Create New Version

Provide a Label value as ‘add - Permanent Contact Number’ and click Save icon.

Add Permanent Contact Number attribute

2.5.2. Still in Form Designer, select Additional Columns tab, and click Add


33

A new line is created

2.5.3. Use the following information for the new attribute (double click in each field to edit):

Name UD_IPNT_USR_CONNUM (just type

CONNUM as the rest is completed

automatically)

Variant Type String

Length 50

Field Label Permanent Contact Number

Field Type TextField

Order Provide the right value by

incrementing one over the current

maximum figure.


34

2.5.4. Finally, choose the recently added version in the dropdown Current Version and click button Make Version Active. After the update,

ensure that the value of labels Latest Version and Active version get updated with the right text - add - Permanent Contact Number.


35

Add attribute mapping to iPlanet Lookup Definition

This will enhance the Attribute Map adding the relevant entry to the Attribute Map AttrName.Prov.Map.iPlanet

2.5.5. Under folder Administration Form Lookup Definition entry AttrName.Prov.Map.iPlanet Button Add

Code Key Permanent Contact Number

Decode homePhone


36

2.5.6. Click Save icon.

Checkpoint

In this step you have extended the connector to support a custom attribute called Permanent Contact Number which maps the

LDAP attribute homePhone.


37

2.6.Execute required Lookup reconciliation scheduled jobs

Purposes

This section includes the steps required to populate the relevant lookup codes with valid data entries present in the DSEE Server,

namely for DSEE roles and organizations. The lookup codes will then be used by LOVs on connector UI elements - process forms

and request datasets.

Steps

Execute Organization Lookup reconciliation scheduled job

2.6.1. Search for scheduled job iPlanet Organization Lookup Reconciliation and execute it after updating the following parameters with

the specified values.

ITResourceName DSEE Server ACME

SearchContext dc=mydomain,dc=com

2.6.2. Click Run Now


38

Execute Role Lookup reconciliation scheduled job

2.6.3. Search for scheduled job iPlanet Role Lookup Reconciliation and execute it after updating the following parameters with the

specified values

ITResourceName DSEE Server ACME

SearchContext dc=mydomain,dc=com


39

Checkpoint

Each of these scheduled jobs has a parameter named LookupCodeName. Look at the value there and you should be able to find a

Lookup Definition by that name in the design console. If the scheduled job is executed correctly, the lookup definition would be

populated with data entries extracted from the DSEE server.

For job iPlanet Organization Lookup Reconciliation, Lookup is ‘Lookup.IPNT.Organization’

For job iPlanet Role Lookup Reconciliation, Lookup is ‘Lookup.IPNT.Role’


40

2.7.Configure Pre-populate adapters

Purposes

This step describes the procedure to configure a pre-populate adapter on DSEE connector process form. In this section, you will:

Create a pre-populate adapter definition using Design console

Add the pre-populate adapter on the DSEE connector process form UD_IPNT_USR

Steps

Create a pre-populate adapter definition using Design console

2.7.1. Under folder Development Tools Adapter Factory Create a pre-populate adapter using the following information:

Adapter Name PrepopulateFormField

Adapter type Pre-populate Rule Generator

Description PrepopulateFormField


41

2.7.2. Click Save icon

Add variable

2.7.3. Click on tab Variable List. Click button Add. Window entitled Adapter Variable would open.

Variable Name formField

Type String

Description formField

Map To Resolve at runtime


42

2.7.4. Click Save icon

Add adapter task

2.7.5. Click on tab Adapter Tasks. Click button Add. Window entitled Adapter Task Selection would open. Select the Options :

Logic Task SET VARIABLE

2.7.6. Click button Continue


43

2.7.7. In the next window, Set Variable Task, set the following configurations:

Variable Name Adapter return value

Operand Type Variable

Operand Qualifier formField

2.7.8. Click Save


44

2.7.9. Close the window and compile the adapter by clicking the button Build. This should change the adapter Compile Status from

Recompile to OK. Finally, click Save icon.


45


46

Add the pre-populate adapter on the DSEE connector process form UD_IPNT_USR

2.7.10.Under folder Development Tools Form Designer For the process form UD_IPNT_USR Button Create New Version

Provide a Label value as add – Prepopulation and click Save icon. Make it the Current version. Click the tab Pre-Populate. Click

Add button.


47

2.7.11.On the window Pre-Populate Adapter, Set the following configuration:

Field Name Permanent Contact Number

Rule Default

Adapter PrepopulateFormField

2.7.12.Click Save. Order will get populated automatically.

2.7.13.In the section Adapter Variables, select the only entry and click Map


48

2.7.14.New window Adapter Variable will open up. Set the following configuration:

Variable Name formField

Data Type String

Map To User Definition

Qualifier Permanent Contact Number

2.7.15.Click Save. Order will get populated automatically.

2.7.16.Finally, set the form version ‘add – Prepopulation’ active. It should finally show up as the Active Version.


49

Note:

Please remove the pre-populate adapter adpiplanetcommonnameppstring that is attached to column Common name

Checkpoint

If you practice direct provisioning of DSEE accounts (resource object - iPlanet User) to OIM Users assigned with a value of

Permanent Contact Number, the process forms for the connector will be launched pre-populated with the right value.

2.8.Configure few Important Parameters for Request and RBAC based provisioning scenarios

Purpose

This step descries the procedure to configure a pre-populate adapter on DSEE connector process form. In this section, you will:

Update DSEE connector Resource Object

Update DSEE connector Process Definition

Steps

Update DSEE connector Resource Object

2.8.1. Launch Design console. Under folder Resource ManagementForm Resource Object For the resource object iPlanet User

Check the checkboxes Allow Multiple and Self Request Allowed and click Save icon.


50

Allow Multiple flag is required if for the same OIM user we would want to provision more than one instances of resource object

iPlanet User.

Self Request Allowed flag is required if you want an OIM user to be able to request for resource object iPlanet User using OIM Self

service console. Also additional relevant request templates could be configured as explained in further lab

Update DSEE connector Process Definition

2.8.2. Under Folder Process ManagementForm Process Definition For the process definition iPlanet User Check the

checkboxes Auto Pre-populate and Auto Save Form and click Save icon.


51

Auto Pre-populate flag is required to automatically trigger the pre-populate adapters configured on the process form of resource

object iPlanet User when provisioning operation is getting executed for the same. If this flag is not checked, Pre-populate button has

to be clicked to fill in the form on the OIM UI if direct provisioning is taken into practice.

Auto Save Form flag is required for automatically saving the instance of process form of resource object iPlanet User during a

provisioning operation. If this flag is not checked, the process form would launch on the OIM UI with pre-populated data (if pre-

populate adapters and the Auto Pre-populate flag are configured) or blank before provisioning data is finally saved and passed

forward to the provisioning target.


52

3. Conclusion

In this lab, you accomplished the following:

Install Connector

Create IT Resources

Extend Attribute Mapping

Create Pre-populate adapters

Relevant features that you should explore further:

Extending/Customizing User Create-Update-Delete events by adding custom java code. This can be achieved by adding

pre-process, validation and post-process orchestration handlers on the OIM User entity, as explained in Lab 4.

lab 3: configuration of oim to manage user accounts ......oim 11g workshop - lab 3 12 2.2.8. on the...

Documents